Way Too Easy to Alter

An 11-year-old at a hacker convention changed the vote tally on a replica secretary of state election data website in under 10 minutes, and 30 other kids hacked similar sites in under 30 minutes. Are our votes being correctly recorded on election day, or have the vote-fraud activists been right all along?

By Mark Anderson

In less than 10 minutes an 11-year-old boy was able to hack into a replica of a state election website and change voting results. An 11-year-old girl named Audrey made changes to the same website in under 15 minutes. In sum, more than 30 kids hacked similar replica state sites in under 30 minutes. This is certainly alarming news considering a majority of U.S. votes are now cast via electronic voting machines.

The youth cyber-security competition was part of the Vote Hacking Village at this year’s DEF CON, held Aug. 9-12 at Caesar’s Palace. DEF CON, held annually since 1993 in Las Vegas, is among the world’s largest hacking conventions.

Young Emmett Brewer of Austin, Texas, “accessed a replica of the Florida secretary of state’s website” and altered the record of votes, which had already been counted and were simply posted online for media and public access.

DEF CON spokeswoman Molly Hall assured AFP Aug. 20 that while the young hackers were able to hack into and dramatically alter the results of already-counted votes, the minors were not involved in trying to hack into actual voting machines used at polling places. Ms. Hall said the effort by adult hackers to access and change the data in voting machines was a separate component of the Hacking Village. A third component saw adult hackers successfully access Ohio’s voter-registration data, though they were not able to alter it.

“Emmett was able to change names, vote numbers, and the parties,” Ms. Hall said, adding that the young hacker even inserted his own name as a “winning” candidate.

A DEF CON tweet paints a much broader picture of the Hacking Village’s findings than what the mainstream media has presented, noting: “The Village had participants find or replicate vulnerabilities ranging from passwords stored on the [voting] machines with no encryption, to buffer overflows in critical input routines.”

Specific hacks also included:

“Discovering 1,784 files, including mp3 audio files of Chinese pop songs, hidden among the operating system files of a voting machine;

“Hacking a mock election so that an unlisted candidate received the most votes; and

“Hacking an email ballot [often used by soldiers overseas] so that the recorded vote was different from what was selected.”

Nico Sell, the co-founder of the non-profit r00tz Asylum, which teaches children how to become hackers and helped organize the event, told “PBS NewsHour”: “These are very accurate replicas of all of the [S.O.S.] sites. These things should not be easy enough for an 8-year-old kid to hack within 30 minutes; it’s negligent for us as a society.”

Interestingly, one of the “big three” voting machine manufacturers—Election Systems and Software, or ES&S—raised “questions about the value of the Voting Village,” noted DEF CON. “It is unfortunate that ES&S is making vague and unsupportable threats that distract from the real issue: the integrity and security of our electoral process.”

ES&S’s comments seem “designed to create questions and cast doubt in the minds of researchers and election officials, discouraging them from pursuing these vital lines of inquiry,” DEF CON added.

ES&S sent a “proactive” message to its “valued customers” the day before DEF CON began, in part complaining about DEF CON hackers’ access to the all-important secretive, proprietary software with which the voting machines operate: “Often jurisdictions that purchase new [vote-counting] equipment will sell or trade their used hardware, which is a legal transaction. We understand that DEF CON organizers and other researchers have obtained equipment in this manner. What is not legal, however, is the transfer of the use of the software . . . unless [it has] been properly licensed to the new owner. ES&S has not licensed software to any non governmental agencies for their use.”

Election-fraud researcher Jim Condit Jr. understands election fraud from its earlier days before computer hacking was possible and points out that the core problem is internal, not external—because the big three vendors’ electronic voting machines used almost universally in the U.S. can be internally programmed to “flip” votes and steal an election without a necessity for external hacking.

“It’s the big-three voting machine vendors, ES&S, Hart InterCivic, and Dominion that need to be investigated for keeping the true vote-count from the public,” Condit told AFP.

Furthermore, given what happened at DEF CON, Condit expects an intensified effort to centralize elections.

“Are they only admitting this vulnerability [at DEF CON], so they can centralize things?” he wondered, adding, “Yes, an 11-year-old can do this, but now let’s hand it over to DHS [the Department of Homeland Security] to keep things ‘safe.’ ”

Of note, on Aug. 15, DHS completed a three-day “National Exercise on Election Security,” described as the “first of its kind.” While the exercise simulated “voter system interference” scenarios, the gathering drew officials from the District of Columbia and 44 states, along with the Election Assistance Commission, the Departments of Defense and Justice, the Office of the Director of National Intelligence, the National Institute of Standards and Technology, the National Security Agency, and U.S. Cyber Command.

While the “suits and spooks” at the DHS event poured over external-interference scenarios, all initial vote counts should be done manually, at the precinct level, with paper ballots without externally hackable or internally alterable machines to begin with, said Condit.